Security research firm PromptArmor recently released a report revealing a severe security vulnerability in Microsoft's AI agent service Copilot Cowork, part of Microsoft 365. Attackers can exploit a technique called "indirect prompt injection" to secretly steal and leak confidential files from an organization's internal cloud storage without user approval.

Malicious Instructions Hidden in Office Templates
As an integrated AI assistant, Cowork holds high-level permissions: it can send emails, post Teams messages, and retrieve internal information from OneDrive and SharePoint. Researchers found, however, that attackers can hide malicious instructions in web pages, documents, or seemingly ordinary office automation templates (such as a "Weekly Work Review") to lure the AI agent into acting on them.
Once a user asks Cowork to process a file containing such hidden prompts, the AI agent is manipulated into falsely claiming it needs to generate a document preview. It then automatically fetches pre-authenticated download links for sensitive files and sends those links to the attacker via Teams messages. All of this happens silently in the background, making it extremely difficult for users to detect.
Scheduled Tasks Increase the Risk and Are Difficult to Prevent
The report points out that Copilot Cowork's ability to run tasks automatically on a schedule significantly amplifies the security risk. For example, a periodic automated task such as a "Weekly Report Summary" can trigger and execute the attack chain repeatedly in the background, even when the user is away from the screen and not actively using the system.
In security testing, the attack succeeded in 100% of five trials. Worse still, administrators have limited visibility into and control over such "skill files," and the vulnerability is not only effective in automatic mode but also remains exploitable when explicitly invoking more powerful large models such as Claude Opus 4.7.
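A defender's counterpart to the attack chain described above (hidden instructions in a template, pre-authenticated OneDrive/SharePoint links exfiltrated over Teams, triggered from an unattended scheduled run) is a policy gate that inspects the agent's proposed tool calls before they execute. The code below is an added illustration, not code from PromptArmor or Microsoft; the tool name `teams.send_message`, the tenant domain `contoso.com`, the link heuristics and the injection phrase list are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

INTERNAL_DOMAINS = {"contoso.com"}  # constructed: the organization's own tenant domains
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed list of phrases that read as instructions to the agent rather than to a user.
INJECTION_RE = re.compile(
    r"(ignore (all )?(previous|prior) instructions|do not (tell|inform) the user|"
    r"send (this|the) (link|file) to|generate a document preview)", re.I)

def is_preauth_link(url: str) -> bool:
    """Heuristic (assumption): a OneDrive/SharePoint link the holder can fetch without signing in."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not (host.endswith(".sharepoint.com") or host == "1drv.ms"):
        return False
    if "tempauth" in parse_qs(p.query):   # pre-signed download.aspx style link
        return True
    return p.path.startswith("/:")        # anonymous sharing link (/:x:/s/...)

def is_external(address: str) -> bool:
    """True when the recipient's mail domain is outside the tenant."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def scan_skill_text(text: str) -> list[str]:
    """Flag template/skill content that looks like instructions aimed at the agent."""
    return [m.group(0) for m in INJECTION_RE.finditer(text)]

def evaluate_action(action: dict, scheduled: bool = False) -> dict:
    """Decide whether a proposed 'send Teams message' tool call may run."""
    if action.get("tool") != "teams.send_message":
        return {"decision": "allow", "reasons": []}
    links = [u for u in URL_RE.findall(action.get("body", "")) if is_preauth_link(u)]
    external = bool(links) and is_external(action.get("to", ""))
    unattended = bool(links) and scheduled
    reasons = []
    if external:
        reasons.append("pre-authenticated file link to external recipient")
    if unattended:
        reasons.append("pre-authenticated file link sent from unattended scheduled run")
    # Exfiltration outside the tenant is blocked outright; unattended sharing
    # inside the tenant is held for human approval instead of running silently.
    decision = "block" if external else "review" if unattended else "allow"
    return {"decision": decision, "reasons": reasons}
```

Both checks are deliberately independent of the model: the gate sees only the concrete tool call and its recipient, so a manipulated model that "claims it needs a preview" still cannot push a pre-signed link out of the tenant.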
